Cyber-physical system defense

ABSTRACT

Systems and techniques for cyber-physical system defense are described herein. Sensor disagreements between a plurality of sensors can be sampled over time. Cluster analysis can be performed on the sampled sensor disagreements. A deviation indication can be provided in response to the cluster analysis resulting in a disagreement density beyond a threshold.

CLAIM OF PRIORITY

This patent application is a continuation of, and claims the benefit of priority, under 35 U.S.C. § 120, to U.S. patent application Ser. No. 14/660,278, titled “CYBER-PHYSICAL SYSTEM DEFENSE” and filed on Mar. 17, 2015, which claims the benefit of priority, under 35 U.S.C. § 119, to U.S. Provisional Application Ser. No. 61/955,669, titled “CLOUD BASED SYSTEM AWARE CYBER SECURITY AND RELATED METHODS THEREOF” and filed on Mar. 19, 2014, and also claims priority to U.S. Provisional Application Ser. No. 62/075,179, titled “SYSTEM AWARE CYBER SECURITY AND RELATED METHODS THEREOF” and filed on Nov. 4, 2014, the entirety of all of which are hereby incorporated by reference herein.

TECHNICAL FIELD

Embodiments described herein generally relate to system security and more specifically to cyber-physical system defense.

BACKGROUND

Cyber-physical systems combine computational, communication, sensory and control capabilities to monitor and regulate physical domain processes. Cyber-physical systems broadly focus on monitoring and controlling a physical process, and may include capabilities to: sense the physical world (e.g., the position of a valve controlling a tank filling process); make decisions (e.g., whether it is necessary to open or close the valve); and perform actions in the physical world (e.g., open or close the valve to maintain the tank fluid level). Cyber-physical systems are becoming increasingly prevalent, filling roles in the civilian (e.g., power grid, public utility services, financial infrastructure, etc.) and defense (e.g., search and rescue missions and command, control, and communications (C3) systems) spaces.

Cyber-physical systems are becoming increasingly accessible to attackers via increased network connectivity to control rooms, command and control stations, other computer-based systems, and networks such as the Internet. Examples of cyber-physical systems include transportation networks, unmanned aerial vehicles (UAVs), nuclear power generation, electric power distribution networks, water and gas distribution networks, and advanced communication systems. Current technology has often introduced the capability of integrating information from numerous instrumentation and control systems and transmitting the information to operations personnel in a timely manner.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed in the present document.

FIG. 1 is a block diagram of an example of an environment including a system for cyber-physical defense, according to an embodiment.

FIGS. 2A and 2B illustrate an example of a disagreement signal cluster analysis timeline, according to an embodiment.

FIG. 3 illustrates an example of a deviating sensor decision tree, according to an embodiment.

FIG. 4 illustrates an example of a method for cyber-physical defense, according to an embodiment.

FIG. 5 is a block diagram illustrating an example of a machine upon which one or more embodiments may be implemented.

DETAILED DESCRIPTION

Due to the increased vulnerability of cyber-physical systems given greater remote access, as well as the reliance of these automated systems on control systems without human input, security is an important consideration. Traditionally, security is implemented via perimeter defense (such as firewalls, intrusion detection mechanisms, anti-virus signature software, encryption, and advanced user authentication) designed to prevent an attacker from gaining control of the cyber-physical system. While the application of perimeter security technologies has been used to address attacks, the rate of successful attacks against critical infrastructures continues to be increasingly problematic. Furthermore, the trend in adversarial attacks is moving toward well-formed, coordinated multi-vector attacks that compromise the system in such a way that detection and identification are challenging for perimeter security solutions. An asymmetric conflict also arises, in which defending against attacks is expensive while actually performing attacks is becoming increasingly inexpensive. That is, the attacker may take time to probe a defense perimeter, identify a weak point, and exploit it, while the defender must spend inordinate resources to identify and fix weak points ahead of time while being given very little time to address an attack on an overlooked weak point.

To address the problem of cyber-physical system defense given above, the behavior of multiple redundant (in both type and number) sensors can be used to produce a robust platform for cyber-physical system control. Further, disagreements between the sensors can be analyzed to identify periods in which an attack is likely, such as when noted disagreements cluster together. Such a cluster analysis addresses the practical reality that disparate sensors may not agree at all times, but are likely to exhibit a characteristic pattern of disagreement during normative (e.g., normal and not under attack) operation. Further, to address whether or not a single disagreement has occurred between two disparate sensors, the data from these sensors can be statistically analyzed to determine whether it deviates from a known probability distribution (e.g., a normal distribution). Moreover, individual sensor disagreements can be analyzed via a logical pairing structure (e.g., a decision tree) to identify the component suspected of being compromised in an attack. By using these techniques, a cyber-physical system gains a robust and ongoing defense against attacks that may have breached other defense mechanisms, such as perimeter security mechanisms.

FIG. 1 is a block diagram of an example of an environment 100 including a system 145 for cyber-physical defense, according to an embodiment. The following discussion generally uses the example of a simplified UAV navigation control system. However, the discussed techniques are applicable to other cyber-physical control systems as long as a known probability distribution between sensor readings can be established.

The environment 100 includes a UAV 105 with a control system 110. The control system 110 can include a navigation component 130, a sensor array 115, and a system defense component 145. The navigation component 130 can include a position estimate module 135 that takes an inertial navigation system output and feedback from a Kalman filter 140 as inputs and produces a navigation signal that is combined with a satellite navigation system (e.g., Global Positioning System (GPS), GLONASS, Galileo, BeiDou, etc.) output and used in the Kalman filter 140 to produce a navigation resolution for the UAV 105. The navigation resolution can be used to determine which actuators of the UAV to manipulate and how they are to be manipulated to pilot the UAV 105. The sensor array 115 can include a plurality of sensors, such as inertial navigation sensors INS-1 120A and INS-2 120B and satellite navigation system sensors SNS-1 125A and SNS-2 125B. In an example, the plurality of sensors in the sensor array 115 can include a number of subsets, such as subsets based on homogeneous type (e.g., inertial navigation system as a first type and satellite navigation system as a second type).

The system defense component 145 can include a sensor interface 150. The sensor interface 150 includes hardware to communicatively receive or retrieve data from the sensors 120-125 in the sensor array 115. The sensor interface 150 also includes hardware to provide the sensor data to other components of the system defense component 145, such as the sampling circuit set 155, the cluster circuit set 160, or the alert circuit set 165.

The sampling circuit set 155 can sample sensor disagreements between the plurality of sensors over time. In an example, sampling sensor disagreements between the plurality of sensors over time can include obtaining a first data set for a first sensor set, obtaining a second data set for a second sensor set, and determining a disagreement between the first data set and the second data set. Such comparisons for sensor disagreements can be performed in a number of ways. For example, the result of a first sensor can be directly compared with the result of a second sensor and, when the results do not match, either exactly or within a threshold, a disagreement is registered. However, sensor diversity in sourcing (e.g., who makes the sensor) and operation (e.g., what hardware is used) can make the system harder to attack, and this diversity may include diverse operating characteristics, making direct result comparison a less reliable indication of actual sensor disagreement. This issue may be compounded when disagreements between different types of sensors are sought.

In an example, to address the direct comparison issues mentioned above, determining the disagreement between the first data set and the second data set can include combining the first data set with the second data set to create a measurement data set, calculating a set of residuals for the measurement data set, and determining that a mean for the residuals is beyond a threshold in relation to an expected mean for the residuals. Thus, a statistical model is applied to the differences between the two data sets to ascertain whether they are behaving as they should. Below is a discussion of the ability to use the mean of the residuals to ascertain undue influence in one or another sensor.

First, the state of the UAV 105 navigation can be modeled for multiple satellite navigation system sensors 125 and inertial navigation system sensors 120 as a linear time-invariant stochastic system with Gaussian noise (which accounts for modeling errors, uncertainties, or system external perturbations). Such a system can be expressed in the manner illustrated below:

Let $x$ be the state of the UAV 105, where:

$x_1 :=$ x-axis coordinate position

$x_2 :=$ x-axis component of velocity

$x_3 :=$ y-axis coordinate position

$x_4 :=$ y-axis component of velocity

Inertial Navigation System components (M units):

$\begin{matrix}{{x_{a}^{(1)}\left( {k + 1} \right)} = {{{Ax}_{a}(k)} + {{Bu}_{a}(k)} + {B_{c}{a_{c}(k)}} + {\partial{{Tw}^{(1)}(k)}}}} \\{{x_{a}^{(2)}\left( {k + 1} \right)} = {{{Ax}_{a}(k)} + {{Bu}_{a}(k)} + {B_{c}{a_{c}(k)}} + {\partial{{Tw}^{(2)}(k)}}}} \\\vdots \\{{x_{a}^{(M)}\left( {k + 1} \right)} = {{{Ax}_{a}(k)} + {{Bu}_{a}(k)} + {B_{c}{a_{c}(k)}} + {\partial{{Tw}^{(M)}(k)}}}}\end{matrix}$

Satellite Navigation System components (N units):

$\begin{matrix}{{z_{a}^{(1)}(k)} = {{C^{1}{x_{a}(k)}} + {B_{o}{a_{o}(k)}} + {v^{(1)}(k)}}} \\{{z_{a}^{(2)}(k)} = {{C^{1}{x_{a}(k)}} + {B_{o}{a_{o}(k)}} + {v^{(2)}(k)}}} \\\vdots \\{{z_{a}^{(N)}(k)} = {{C^{1}{x_{a}(k)}} + {B_{o}{a_{o}(k)}} + {v^{(N)}(k)}}}\end{matrix}$

where $x_a(k) \in \mathbb{R}^{l}$, $u(k) \in \mathbb{R}^{p}$, $z_a(k) \in \mathbb{R}^{t}$ are the system state, the inputs of the inertial navigation system units, and the measurement of the satellite navigation units, and where $w^{(j)}(k) \in \mathbb{R}^{q}$, $v^{(i)}(k) \in \mathbb{R}^{t}$ are process and measurement noise. The $w(k)$ and $v(k)$ components are Gaussian white noise of the inertial navigation system and satellite navigation system measurements respectively, with constant covariance matrices $Q$ and $R$. Further, let

$A = \begin{bmatrix}1 & T_{S} & 0 & 0 \\0 & 1 & 0 & 0 \\0 & 0 & 1 & T_{S} \\0 & 0 & 0 & 1\end{bmatrix}$ $B = \begin{bmatrix}\frac{T_{S}^{2}}{2} & 0 \\T_{S} & 0 \\0 & \frac{T_{S}^{2}}{2} \\0 & T_{S}\end{bmatrix}$ $C = \begin{bmatrix}1 & 0 & 0 & 0 \\0 & 0 & 1 & 0\end{bmatrix}$ ${\partial T} = \begin{bmatrix}\frac{T_{S}^{2}}{2} \\T_{S} \\\frac{T_{S}^{2}}{2} \\T_{S}\end{bmatrix}$

where $B_o$, $B_c$ are the attack matrices and $a_o(k)$, $a_c(k)$ are persistent, linear deception attacks against the satellite navigation systems and inertial navigation systems at time $k$ respectively.

Given this model of the system, similarity analysis between these components can be carried out with the following component-specific similarity analyses.

Similarity between two inertial navigation system components can look at velocity or acceleration residuals between the two components. Selection of particular sensor outputs for comparison, rather than all components, can alleviate identified sensor issues, such as compounding drift in inertial navigation sensors. The residual of the acceleration measurement for the two inertial navigation system components is:

r₁(k) = (Bu_(a)⁽¹⁾(k) + B_(c)a_(c)⁽¹⁾ + ∂Tw⁽¹⁾(k)) − (Bu_(a)⁽²⁾(k) + B_(c)a_(c)⁽²⁾ + ∂Tw⁽²⁾(k)) = B(u_(a)⁽¹⁾(k) − u_(a)⁽²⁾(k)) + ∂T(w⁽¹⁾(k) − w⁽²⁾(k)) + α_(c)(k)

where a_(c)(k)=B(a_(c) ⁽¹⁾(k)−a_(c) ⁽²⁾(k)). Given this, becausew^((i))(k) is a zero-mean Gaussian, and because u_(a) ⁽¹⁾(k)=u_(a)⁽²⁾(k), we have:

N(0,∂T′(Q ⁽¹⁾ +Q ⁽²⁾)∂T)˜∂T(w ⁽¹⁾(k)−w ⁽²⁾(k))

If $\alpha_c(k) \neq 0$, then $r_1(k)$ loses its zero-mean Gaussian characteristic. Thus, a valid test for sensor deviation (e.g., based on a security intrusion) is to test the zero-mean normality of the residuals, which can be performed with the compound scalar test. Since $r_1(k)$ is a bivariate normally distributed random variable, let

$\mathcal{X}_1(k) = r_1(k)^{T}\left(\left(C^{T}\partial T C\right)\Sigma_{r_1}^{-1}\left(C^{T}\partial T C\right)\right) r_1(k)$

be the sum of squares of the residual, with two degrees of freedom, between the two inertial navigation system acceleration measurements, with covariance matrix

$\Sigma_{r_1} = Q^{(1)} + Q^{(2)}$

With the application of the compound scalar test to assess the normality of the residuals, the hypothesis test becomes:

$H_0: X(\mathcal{X}_1(k)) < \text{threshold}$

$H_1: X(\mathcal{X}_1(k)) > \text{threshold}$

where $H_1$ signifies a disagreement at time $k$. In an example, the threshold is 0.99.

As demonstrated above, the differences between two sensor readings at a point in time (e.g., within a tolerance threshold such that two readings are considered to be at the same point in time, the tolerance threshold providing sufficient resolution to produce a meaningful result given the application) can be tested for conformance to a probability distribution to determine disagreement between the sensors. Although the specifics of some terms vary, the application of the above technique operates in the same way for disagreement (e.g., similarity) testing between satellite navigation system sensors and between inertial navigation system sensors and satellite navigation system sensors, because in each case the residuals are Gaussian distributed random variables.

In an example, between two satellite navigation system sensors, the residuals of the satellite navigation system measurements (represented above as $z_a^{(N)}$) can be used. For example, for two satellite navigation sensors 1 and 2, the residual is

$r_2(k) = z_a^{(1)}(k) - z_a^{(2)}(k) = \left(C x_a(k) + B_o a_o^{(1)}(k) + v^{(1)}(k)\right) - \left(C x_a(k) + B_o a_o^{(2)}(k) + v^{(2)}(k)\right) = \left(v^{(1)}(k) - v^{(2)}(k)\right) + \alpha_o(k)$

where $\alpha_o(k) = B_o\left(a_o^{(1)}(k) - a_o^{(2)}(k)\right)$. Because $v^{(i)}(k)$ is a zero-mean Gaussian random variable, we have:

$\left(v^{(1)}(k) - v^{(2)}(k)\right) \sim \mathcal{N}\left(0,\; R^{(1)} + R^{(2)}\right)$

Again, if $\alpha_o(k) \neq 0$, then $r_2(k)$ loses its zero-mean Gaussian characteristic. Thus, the compound scalar test can be used to assess a deviation. Let $\mathcal{X}_2$ be the sum of squares of the residual:

$\mathcal{X}_2(k) = r_2(k)^{T}\,\Sigma_{r_2}^{-1}\, r_2(k)$

$\Sigma_{r_2} = R^{(1)} + R^{(2)}$

and the compound scalar test hypothesis becomes:

$H_0: X(\mathcal{X}_2(k)) < \text{threshold}$

$H_1: X(\mathcal{X}_2(k)) > \text{threshold}$

where $H_1$ signifies a disagreement at time $k$. In an example, the threshold is 0.99.

In an example, between a satellite navigation system sensor and an inertial navigation system sensor, the position residuals (respectively represented above as $z_a^{(N)}$ and $x_a^{(M)}$, with the output matrix $C$ selecting the position components of $x_a$) can be used. For example, the residual of the inertial navigation system sensor and the satellite navigation sensor is:

$r_3(k) = C x_a^{(1)}(k) - z_a^{(1)}(k) = CA\, x_a^{(1)}(k-1) + CB\, u(k-1) - C x_a(k) + \left[C B_c a_c^{(1)}(k-1) - B_o a_o^{(1)}(k)\right] + \left[C\,\partial T\, w^{(1)}(k-1) - v^{(1)}(k)\right]$

In general this has a non-zero-mean Gaussian characteristic. Further, assume that

$CA\, x_a^{(1)}(k-1) + CB\, u(k-1) = C x_a(k)$

and, absent an attack,

$C B_c a_c^{(1)}(k-1) - B_o a_o^{(1)}(k) = 0$

Then $r_3(k)$ is a zero-mean Gaussian distributed random variable, with covariance

$\Sigma_{r_3} = C\,\partial T\, Q^{(1)}\, \partial T^{T} C^{T} + R^{(1)}$

and sum of squares

$\mathcal{X}_3(k) = r_3(k)^{T}\,\Sigma_{r_3}^{-1}\, r_3(k)$

Then the compound scalar test hypothesis becomes:

$H_0: X(\mathcal{X}_3(k)) < \text{threshold}$

$H_1: X(\mathcal{X}_3(k)) > \text{threshold}$

where $H_1$ signifies a disagreement at time $k$. In an example, the threshold is 0.99.

These principles of residual normality testing are similarly applicable to disagreement testing of other sensors, such as rotational sensors, altitude sensors, thermometers, etc. Thus truly disparate sensors can be tested for agreement, providing a robust and secure sensing platform for cyber-physical systems.
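The compound scalar test for a pair of sensors reporting the same two-dimensional quantity, as an added example that is not the patent's code. It implements the $r_2(k)$ case above (two satellite navigation receivers reporting x/y position with covariances $R^{(1)}$ and $R^{(2)}$) and reads $X(\cdot)$ as the cumulative probability of a chi-square distribution with two degrees of freedom at the observed sum of squares, which the page does not spell out; for two degrees of freedom that CDF is $1 - e^{-x/2}$. The readings and covariances are constructed, and the function names are our own.

```python
import math

# Added example, not code from the patent. Compound scalar test for two
# sensors that report the same 2-D quantity, here two satellite navigation
# receivers reporting (x, y) position: the r_2(k) case. Assumption: X(.) is
# the chi-square CDF with two degrees of freedom at the sum of squares, which
# for two degrees of freedom is 1 - exp(-x/2). Names are our own.


def residual(z1, z2):
    """r(k) = z^(1)(k) - z^(2)(k) for 2-D readings."""
    return [a - b for a, b in zip(z1, z2)]


def mat_add(m1, m2):
    """Sigma_r = R^(1) + R^(2) for 2x2 covariance matrices."""
    return [[m1[i][j] + m2[i][j] for j in range(2)] for i in range(2)]


def mat_inv2(m):
    """Inverse of a 2x2 matrix; covariances here are symmetric positive definite."""
    (a, b), (c, d) = m
    det = a * d - b * c
    if det <= 0.0:
        raise ValueError("covariance must be positive definite")
    return [[d / det, -b / det], [-c / det, a / det]]


def sum_of_squares(r, sigma):
    """X(k) = r(k)^T Sigma^-1 r(k); chi-square with 2 dof when r is zero-mean Gaussian."""
    inv = mat_inv2(sigma)
    tmp = [inv[0][0] * r[0] + inv[0][1] * r[1],
           inv[1][0] * r[0] + inv[1][1] * r[1]]
    return r[0] * tmp[0] + r[1] * tmp[1]


def chi2_cdf_2dof(x):
    """CDF of the chi-square distribution with two degrees of freedom."""
    return 1.0 - math.exp(-x / 2.0)


def disagrees(z1, cov1, z2, cov2, threshold=0.99):
    """Return (H1 accepted, probability): H1, a disagreement, when X(chi) > threshold."""
    chi = sum_of_squares(residual(z1, z2), mat_add(cov1, cov2))
    p = chi2_cdf_2dof(chi)
    return p > threshold, p


# Constructed readings in metres; each receiver has 2 m per-axis noise (R = 4*I).
R_SNS = [[4.0, 0.0], [0.0, 4.0]]
SNS1_READING = [100.0, 50.0]
SNS2_NOMINAL = [101.5, 49.0]    # ordinary receiver scatter: r = (-1.5, 1.0)
SNS2_SPOOFED = [112.0, 50.0]    # receiver 2 pulled 12 m off in x: r = (-12, 0)


def residual_demo():
    """(nominal result, spoofed result) as (disagreement flag, probability) pairs."""
    return (disagrees(SNS1_READING, R_SNS, SNS2_NOMINAL, R_SNS),
            disagrees(SNS1_READING, R_SNS, SNS2_SPOOFED, R_SNS))


if __name__ == "__main__":
    for label, (flag, p) in zip(("nominal", "spoofed"), residual_demo()):
        print(f"{label}: X(chi)={p:.4f} -> {'DISAGREEMENT' if flag else 'agree'}")
```

The nominal pair yields a sum of squares of 0.40625 and a probability of about 0.18, so $H_0$ stands; the 12 m offset yields 18.0 and a probability above 0.9998, so $H_1$ is accepted and a disagreement is registered. Whether that single disagreement matters is then left to the cluster analysis that follows.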

Returning to the more general case, in an example, the first sensor set and the second sensor set can consist of members of a first type of sensor. Thus, sensors of the same type are compared against each other. Sensor types can be classified based on how the physical measurement is taken (e.g., current generated in a piezoelectric device under mechanical stress). In an example, the sensor type is classified based on the mechanism used to achieve the measurement. In an example, the first sensor set can consist of a first type of sensor and the second sensor set can consist of a second type of sensor. Thus, in this example, the two sensor sets represent different types of sensors that use a different mechanism to arrive at some common measurement. For example, both satellite navigation systems and inertial navigation systems can provide an absolute position of the UAV 105, but each uses a different mechanism to arrive at the position measurement.

The cluster circuit set 160 can perform cluster analysis on the sampled sensor disagreements. As noted above, diversity in sensor number (e.g., the more sensors used), manufacturer (e.g., multiple manufacturers are harder to infiltrate in order to compromise a device), and type (e.g., an inertial navigation system and a barometer to measure altitude have different attack vectors) tends to lead to increased robustness of the system. However, such variety can lead to reduced uniformity in measurement results at any given moment. To address this issue, an analysis of the disagreement signals produced by ascertaining sensor disagreements over time can reduce false positive alerts and provide greater confidence in identifying a malfunctioning sensor.

Normative testing can provide a profile of false disagreements between sensors. For example, suppose the disagreement signal has exponentially distributed inter-arrival times with a fixed arrival rate (the false disagreement rate). Thus, during normative operation the disagreement signal will include disagreement indications between the two sensors at intervals governed by that rate. If $X_i$ is the time of the $i$th false disagreement, then $X_{i+N} - X_i$ is the time between the $i$th false disagreement and the $(i+N)$th false disagreement. When a sensor deviation occurs, the disagreement indications in the disagreement signal cluster. Thus, the inter-arrival time of the disagreement indications (i.e., $X_{i+N} - X_i$) will tend to be short, or to get shorter over time.

In an example, performing the cluster analysis can include determining whether a predetermined number of disagreements occurred within a calculated period of time. This is effective because the shorter inter-arrival times of the disagreement indications increase the number of indications in fixed time windows. In an example, the calculated time period can be calculated via an inverse Gamma function with a probability parameter, a sample-size parameter, and a time-of-arrival parameter, the time-of-arrival parameter determined via measurement of a sensor system during normative testing. For example, for a given probability $P$, if $X_{i+N} - X_i < T$ a cluster can be identified, where

$T = {{InvGamma}\left( {P,N,\frac{1}{R}} \right)}$

and

$N$ = number of disagreement indications (the sample size)

$R$ = arrival rate of false disagreement indications measured during normative testing, so that $1/R$ is the mean time between them

Consider the values P=0.05, N=10, and R = the rate of false alarms measured during normative testing; for the normative rate used in this example, T=542. Thus, in this scenario, the calculated time period (e.g., time window) in which 10 disagreements is concerning is 542 time units; that is, under normative operation, 10 disagreements falling within 542 units is an event of probability P=0.05.
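The window calculation and the cluster check above, as an added example that is not part of the patent. It assumes, as the page's numbers imply, that false disagreements during normative operation arrive as a Poisson process with rate R, so that the time to accumulate N of them is Gamma-distributed with shape N and scale 1/R, and it reads InvGamma(P, N, 1/R) as the P-quantile of that distribution. With R = 0.01 false disagreements per time unit (an assumed value; the page does not give R) the quantile reproduces the page's T = 542. The timestamps are constructed, and the function names are our own.

```python
import math

# Added example (not from the patent). Assumption: during normative operation
# false disagreements arrive as a Poisson process with rate R, so the time for
# N of them to accumulate is Gamma(shape N, scale 1/R) and T = InvGamma(P, N, 1/R)
# is the P-quantile of that distribution. Function names are our own.


def gamma_cdf_integer_shape(t, n, rate):
    """P[X_{i+N} - X_i <= t] for N exponential(rate) inter-arrivals.

    For integer shape N this is the Erlang CDF
        1 - sum_{k=0}^{N-1} exp(-rate*t) (rate*t)^k / k!
    i.e. the probability of at least N Poisson arrivals in (0, t].
    """
    if t <= 0.0:
        return 0.0
    lam = rate * t
    term = math.exp(-lam)      # k = 0 Poisson term
    tail = term
    for k in range(1, n):
        term *= lam / k        # advance to the k-th Poisson term
        tail += term
    return 1.0 - tail


def inv_gamma_window(p, n, rate, rel_tol=1e-10):
    """T = InvGamma(P, N, 1/R): the window inside which N false disagreements
    fall with probability P, found by bisection on the CDF."""
    lo, hi = 0.0, 1.0
    while gamma_cdf_integer_shape(hi, n, rate) < p:   # bracket the quantile
        hi *= 2.0
    while hi - lo > rel_tol * hi:
        mid = 0.5 * (lo + hi)
        if gamma_cdf_integer_shape(mid, n, rate) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def find_clusters(times, n, window):
    """Indices i for which X_{i+N} - X_i < T, i.e. N further disagreement
    indications arrived within the calculated window after the i-th one."""
    times = sorted(times)
    return [i for i in range(len(times) - n) if times[i + n] - times[i] < window]


# Constructed timeline (arbitrary time units): a normative stretch with roughly
# one false disagreement per 100 units, then a burst of 11 disagreements
# 10 units apart, as would occur when a sensor is deviating.
NORMATIVE_TIMES = [0, 97, 205, 298, 412, 503, 611, 699, 804, 880,
                   1001, 1106, 1198, 1307, 1400]
BURST_TIMES = [1400 + 10 * j for j in range(1, 12)]   # 1410 .. 1510
TIMELINE = NORMATIVE_TIMES + BURST_TIMES

P, N, R = 0.05, 10, 0.01   # R is assumed: one false disagreement per 100 units


def cluster_demo():
    """(T, cluster starts in the normative stretch, cluster starts with the burst)."""
    window = inv_gamma_window(P, N, R)     # about 542 time units
    return (window,
            find_clusters(NORMATIVE_TIMES, N, window),
            find_clusters(TIMELINE, N, window))


if __name__ == "__main__":
    t, quiet, alerts = cluster_demo()
    print(f"T = {t:.1f}; normative alerts: {quiet}; with burst: {alerts}")
```

On the normative stretch no index qualifies (ten further indications take about 1000 units to arrive), while once the burst starts the check fires from index 10 onward, i.e. the window 205 of FIG. 2B straddles the onset of the burst. Because the window is a quantile of the normative distribution, P directly sets the false-alert rate of the cluster stage.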

The alert circuit set 165 can provide a deviation indication in response to the cluster analysis resulting in a disagreement density beyond a threshold. As noted above, the cluster analysis provides an indication when the threshold is met, such as a predefined number of disagreement indications within the calculated time period. The deviation indication can be a variety of indications, such as an alarm, a disabling signal for the deviating sensor, initiation of an investigation into the source of the deviation (e.g., determining whether a false signal is manipulating the sensor), a log entry, etc. In an example, the deviation indication can indicate which sensor of the plurality of sensors is the source of the deviation. In an example, a relationship structure, such as a decision tree, can be applied to pairs (or other combinations) of sensors in the plurality of sensors using the disagreements in the data set that provided the deviation indication. That is, time-correlated disagreements that resulted in the deviation indication can be compared to determine which sensor disagrees with the others while eliminating from consideration those sensors that agree with the others. An example of such a decision tree is described below with respect to FIG. 3.

By applying the components and techniques described herein, the asymmetry between attack and defense that characterizes perimeter defense is addressed. Disparate sensors can be used to control a cyber-physical system, and misbehaving sensors can be reliably detected and dealt with. Thus, cyber-physical system builders and users can deploy critical systems with greater confidence in the ability of these systems to withstand attacks from malicious entities.

FIGS. 2A and 2B illustrate an example of a disagreement signal cluster analysis timeline 200, according to an embodiment. As described above, during a normative period (e.g., when the system is operating normally and is not under attack) disagreements between two sensors can still occur for a variety of reasons (e.g., differing calibration, error tolerances, measurement mechanism, etc.). FIG. 2A illustrates a normative period of the timeline 200, with disagreement indications S-1 through S-6. Although these are illustrated with fixed inter-arrival times, varying intervals can also be addressed, because a cluster of such indications is not expected to occur during normative operation.

FIG. 2B illustrates a later period in the disagreement signal cluster analysis timeline 200, starting at S-N and moving through S-(N+M). In this portion of the timeline, region 205 indicates the calculated time period discussed above. The increased density of the disagreements in the timeline 200 indicates that a deviation is occurring. If the number of disagreements within the time period 205 is greater than the number used to calculate the time period 205 (e.g., 10 as described above), then an alert, or other deviation indication, can be produced.

FIG. 3 illustrates an example of a deviating sensor decision tree 300, according to an embodiment. As described above, a decision tree, or other mechanism, can be used to determine which sensor of a plurality of sensors is causing problems. In this example, the decision tree 300 applies to a system with two inertial navigation system sensors and two satellite navigation system sensors. In an example, the disagreements discussed below are determined after the cluster analysis results in a deviation indication.

At decision 305, it is tested whether or not the two inertial navigation system sensors agree with each other (i.e., that they did not disagree). If the two inertial navigation system sensors do agree with each other, then decision 310 determines whether the two satellite navigation system sensors agree with each other. If decision 310 is also affirmative, it can be concluded that the intra-type checks indicate that no problem exists. However, to address a sensor type attack (e.g., an attack effective across the entire sensor type, such as a global positioning system spoofing attack), the first satellite navigation system sensor is compared to the first inertial navigation system sensor at decision 315. If decision 315 indicates an agreement, then no alarm 320 is initiated. However, if decision 315 indicates a disagreement, the alarm 325 can be initiated and indicate a spoofing attack on the satellite navigation system sensors.

Moving back to decision 310, a disagreement between the satellite navigation system sensors where the inertial navigation sensors agree (at decision 305) indicates that one of the satellite navigation sensors is deviating. To determine which of the two satellite navigation sensors is the offending sensor, the first satellite navigation sensor can be tested for agreement with a trusted sensor (e.g., the first inertial navigation sensor) at decision 330. If the first satellite navigation sensor does not agree with the first inertial navigation system sensor, then the alarm 340 can indicate that the first satellite navigation system sensor is the offending sensor. Otherwise, the alarm 335 can indicate that the second satellite navigation system sensor is the offending sensor.

Moving back to decision 305, if the inertial navigation sensors disagree, one of them is the offending sensor. At decision 345, the satellite navigation sensors can be tested for agreement. It is noted that if these sensors do not agree, the decision tree cannot make a determination, because either of the inertial navigation sensors may be an offender and either of the satellite navigation system sensors may be an offender, and thus there is no trusted sensor that can be used to determine which sensor of each type is an offender. However, if the two satellite navigation sensors do agree with each other, each can be considered a trusted sensor (assuming that an attacker could not simultaneously perform a spoofing attack and compromise an inertial navigation system sensor) and used to test the first inertial navigation sensor at decision 350. If the first inertial navigation sensor disagrees with a satellite navigation system sensor, then the alarm 355 can indicate that the first inertial navigation sensor is the offending sensor. Otherwise, alarm 360 can indicate that the second inertial navigation sensor is the offending sensor.

The decision tree 300 performs a trust analysis on some sensors that can then be used to test other sensors. Such relationships can be exploited in other sensor arrangements. Moreover, some sensors may be more impervious to attack, and thus can be tested first to establish a trusted sensor set early in the process, such as the initial testing of the inertial navigation system sensors at decision 305. In any case, the number of sensors tested can be increased, and the specific order of testing can be varied, as long as the final result is determinative of an offending set of sensors.
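The FIG. 3 decision tree written out as a function, as an added example that is not part of the patent. It takes a callback that answers whether two named sensors agreed over the disagreement set that produced the deviation indication, so that pairwise tests are consulted only in the order the tree consults them; the sensor names, the scenario table and the returned labels are our own.

```python
# Added example, not from the patent: the deviating-sensor decision tree of
# FIG. 3 for two INS and two SNS sensors. `agrees(a, b)` answers whether the
# two named sensors agreed (True) or disagreed (False) over the disagreement
# set that produced the deviation indication. Labels are our own.

INS1, INS2, SNS1, SNS2 = "INS-1", "INS-2", "SNS-1", "SNS-2"


def identify_offender(agrees):
    """Walk the decision tree and return the alarm (or no-alarm) outcome."""
    if agrees(INS1, INS2):                                  # decision 305
        if agrees(SNS1, SNS2):                              # decision 310
            if agrees(SNS1, INS1):                          # decision 315
                return "no alarm"                           # 320
            return "alarm: satellite navigation spoofing"   # 325 (whole-type attack)
        # the INS pair is trusted, so one SNS sensor is deviating
        if agrees(SNS1, INS1):                              # decision 330
            return "alarm: SNS-2 offending"                 # 335
        return "alarm: SNS-1 offending"                     # 340
    # the INS sensors disagree, so one of them is deviating
    if not agrees(SNS1, SNS2):                              # decision 345
        return "undetermined: no trusted sensor"            # no decision possible
    # the SNS pair is trusted (assumes no simultaneous spoof plus INS compromise)
    if agrees(INS1, SNS1):                                  # decision 350
        return "alarm: INS-2 offending"                     # 360
    return "alarm: INS-1 offending"                         # 355


def agreement_oracle(disagreeing_pairs):
    """Build `agrees` from the set of sensor pairs that registered a disagreement."""
    bad = {frozenset(pair) for pair in disagreeing_pairs}
    return lambda a, b: frozenset((a, b)) not in bad


# Constructed scenarios: which pairwise tests registered a disagreement.
SCENARIOS = {
    "all agree": [],
    "SNS-2 drifting": [(SNS1, SNS2), (SNS2, INS1), (SNS2, INS2)],
    "GPS spoof on both SNS": [(SNS1, INS1), (SNS1, INS2), (SNS2, INS1), (SNS2, INS2)],
    "INS-1 compromised": [(INS1, INS2), (INS1, SNS1), (INS1, SNS2)],
    "everything disagrees": [(INS1, INS2), (SNS1, SNS2), (INS1, SNS1)],
}


def classify_all():
    """Outcome of the tree for every constructed scenario."""
    return {name: identify_offender(agreement_oracle(pairs))
            for name, pairs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in classify_all().items():
        print(f"{name:24s} -> {outcome}")
```

Note that the spoofing branch and the "undetermined" branch are where the tree's trust assumptions live: a spoof that moves both receivers identically is caught only by the cross-type check at decision 315, and an attacker who can make both an INS pair and an SNS pair disagree leaves the tree with no trusted reference, which is the case a larger sensor set or a different test order would be chosen to avoid.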

FIG. 4 illustrates an example of a method 400 for cyber-physical defense, according to an embodiment. The operations of the method 400 are implemented in computing hardware or carried out via computing hardware instructed by software. Example components are described above with respect to FIG. 1 and below with respect to FIG. 5.

At operation 405, sensor data for a plurality of sensors can be monitored. The plurality of sensors can include a first set of sensors (e.g., consisting of a first single type such as satellite navigation systems) with a cardinality greater than one and a second set of sensors (e.g., consisting of a second single type such as inertial navigation systems) also with a cardinality greater than one.

At operation 410, a disagreement signal can be created (e.g., generated) by calculating time-correlated disagreements between sensors in the first set of sensors, between sensors in the second set of sensors, and between sensors in the first set of sensors and the second set of sensors. Thus, intra-set disagreements for both sets of sensors as well as inter-set disagreements between the two sets are determined.

Sensor disagreements can be determined via a statistical analysis of a common output by two sensors. In an example, residuals between two sensors can be computed and subjected to the statistical analysis. In an example, normality of the residuals over time can be used to ascertain whether a disagreement exists. In an example, the common output may be derived, such as a position output by an inertial navigation system. In an example, disagreements between sensors of the first set of sensors can be calculated by measuring the normality of the residuals of satellite measurements between two sensors. In an example, disagreements between sensors of the second set of sensors can be calculated by measuring the normality of the residuals of acceleration between two sensors. In an example, disagreements between sensors of the first set of sensors and the second set of sensors can be calculated by measuring the normality of the residuals of position between a sensor in the first set of sensors and a sensor in the second set of sensors.

At operation 415, the disagreement signal can be sampled and a determination made that the sampled disagreement signal has an inter-arrival time below a threshold. As noted above, disparate sensors may disagree at times by virtue of differing operating parameters, quality, or other factors. However, when one sensor is being manipulated, the frequency of disagreements rises, resulting in a clustering of disagreements in time (e.g., as illustrated in FIGS. 2A and 2B). In an example, the threshold is a time period with magnitude determined via an inverse Gamma function with a probability parameter, a sample-size parameter, and a time-of-arrival parameter, the time-of-arrival parameter determined via measurement of a sensor system during normative testing. Such a threshold delimits a period in which the disagreement density is beyond that of the system when it is not under attack.

At operation 420, an alarm can be provided in response to determining that the sampled disagreement signal has an inter-arrival time below the threshold. In an example, the alarm can include identification of a sensor in the plurality of sensors deemed to be compromised. As described above with respect to FIGS. 1 and 3, different sensor pairing structures can be used to make this identification. In an example, the sensor is deemed to be compromised when it disagrees with other sensors in the plurality of sensors and those other sensors agree with each other. That is, the identification is of a sensor that disagrees with one or more other sensors where those other sensors agree with each other.

FIG. 5 illustrates a block diagram of an example machine 500 upon which any one or more of the techniques (e.g., methodologies) discussed herein may perform. In alternative embodiments, the machine 500 may operate as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine 500 may operate in the capacity of a server machine, a client machine, or both in server-client network environments. In an example, the machine 500 may act as a peer machine in a peer-to-peer (P2P) (or other distributed) network environment. The machine 500 may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), or other computer cluster configurations.

Examples, as described herein, may include, or may operate by, logic or a number of components, or mechanisms. Circuit sets are a collection of circuits implemented in tangible entities that include hardware (e.g., simple circuits, gates, logic, etc.). Circuit set membership may be flexible over time and underlying hardware variability. Circuit sets include members that may, alone or in combination, perform specified operations when operating. In an example, hardware of the circuit set may be immutably designed to carry out a specific operation (e.g., hardwired). In an example, the hardware of the circuit set may include variably connected physical components (e.g., execution units, transistors, simple circuits, etc.) including a computer readable medium physically modified (e.g., magnetically, electrically, moveable placement of invariant massed particles, etc.) to encode instructions of the specific operation. In connecting the physical components, the underlying electrical properties of a hardware constituent are changed, for example, from an insulator to a conductor or vice versa. The instructions enable embedded hardware (e.g., the execution units or a loading mechanism) to create members of the circuit set in hardware via the variable connections to carry out portions of the specific operation when in operation. Accordingly, the computer readable medium is communicatively coupled to the other components of the circuit set member when the device is operating. In an example, any of the physical components may be used in more than one member of more than one circuit set. For example, under operation, execution units may be used in a first circuit of a first circuit set at one point in time and reused by a second circuit in the first circuit set, or by a third circuit in a second circuit set at a different time.

Machine (e.g., computer system) 500 may include a hardware processor 502 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 504 and a static memory 506, some or all of which may communicate with each other via an interlink (e.g., bus) 508. The machine 500 may further include a display unit 510, an alphanumeric input device 512 (e.g., a keyboard), and a user interface (UI) navigation device 514 (e.g., a mouse). In an example, the display unit 510, input device 512 and UI navigation device 514 may be a touch screen display. The machine 500 may additionally include a storage device (e.g., drive unit) 516, a signal generation device 518 (e.g., a speaker), a network interface device 520, and one or more sensors 521, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor. The machine 500 may include an output controller 528, such as a serial (e.g., universal serial bus (USB)), parallel, or other wired or wireless (e.g., infrared (IR), near field communication (NFC), etc.) connection to communicate with or control one or more peripheral devices (e.g., a printer, card reader, etc.).

The storage device 516 may include a machine readable medium 522 on which is stored one or more sets of data structures or instructions 524 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein. The instructions 524 may also reside, completely or at least partially, within the main memory 504, within static memory 506, or within the hardware processor 502 during execution thereof by the machine 500. In an example, one or any combination of the hardware processor 502, the main memory 504, the static memory 506, or the storage device 516 may constitute machine readable media.

While the machine readable medium 522 is illustrated as a single medium, the term “machine readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) configured to store the one or more instructions 524.

The term “machine readable medium” may include any medium that is capable of storing, encoding, or carrying instructions for execution by the machine 500 and that cause the machine 500 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions. Non-limiting machine readable medium examples may include solid-state memories, and optical and magnetic media. In an example, a massed machine readable medium comprises a machine readable medium with a plurality of particles having invariant (e.g., rest) mass. Accordingly, massed machine-readable media are not transitory propagating signals. Specific examples of massed machine readable media may include: non-volatile memory, such as semiconductor memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)) and flash memory devices; magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.

The instructions 524 may further be transmitted or received over a communications network 526 using a transmission medium via the network interface device 520 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, the IEEE 802.16 family of standards known as WiMax®), the IEEE 802.15.4 family of standards, peer-to-peer (P2P) networks, among others. In an example, the network interface device 520 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 526. In an example, the network interface device 520 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 500, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.

Additional Notes

The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments that may be practiced. These embodiments are also referred to herein as “examples.” Such examples may include elements in addition to those shown or described. However, the present inventors also contemplate examples in which only those elements shown or described are provided. Moreover, the present inventors also contemplate examples using any combination or permutation of those elements shown or described (or one or more aspects thereof), either with respect to a particular example (or one or more aspects thereof), or with respect to other examples (or one or more aspects thereof) shown or described herein.

All publications, patents, and patent documents referred to in this document are incorporated by reference herein in their entirety, as though individually incorporated by reference. In the event of inconsistent usages between this document and those documents so incorporated by reference, the usage in the incorporated reference(s) should be considered supplementary to that of this document; for irreconcilable inconsistencies, the usage in this document controls.

In this document, the terms “a” or “an” are used, as is common in patent documents, to include one or more than one, independent of any other instances or usages of “at least one” or “one or more.” In this document, the term “or” is used to refer to a nonexclusive or, such that “A or B” includes “A but not B,” “B but not A,” and “A and B,” unless otherwise indicated. In the appended claims, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein.” Also, in the following claims, the terms “including” and “comprising” are open-ended, that is, a system, device, article, or process that includes elements in addition to those listed after such a term in a claim is still deemed to fall within the scope of that claim. Moreover, in the following claims, the terms “first,” “second,” and “third,” etc. are used merely as labels, and are not intended to impose numerical requirements on their objects.

The above description is intended to be illustrative, and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments may be used, such as by one of ordinary skill in the art upon reviewing the above description. The Abstract is to allow the reader to quickly ascertain the nature of the technical disclosure and is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. Also, in the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. The scope of the embodiments should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

What is claimed is:
1. A system for cyber-physical system defense, the system comprising: a sensor interface to receive sensor data from a plurality of sensors; a sampling circuit set to sample sensor disagreements between the plurality of sensors over time; a cluster circuit set to perform cluster analysis on the sampled sensor disagreements; and an alert circuit set to provide a deviation indication in response to the cluster analysis resulting in disagreement density beyond a threshold.